OpenID Connect behavior


Article ID: 121501


Products

CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On

Issue/Introduction



We'd like to know if the following token issued by CA Single Sign-On
is a JWT Signed Token.

The first part of the decrypted token doesn't have the "typ" header
and as such we'd like you to confirm that this token is a JWT. 


{
kid: "65804645-989e-4833-8dd7-f17c7782ea00",
alg: "RS256"
}.
{
sub: "CN=myname,OU=myuser,O=myorganization",
aud: "c11d5f88-3bba-4a66-8faf-58d6bbb8547z", 
mail: "[email protected]", 
auth_time: 1540223760, 
iss: "https:\/\/mymachine.mydomain.com:9443", 
exp: 1540227660, 
permisos: "Rol2^Rol1", 
iat: 1540223760, 
nonce: "5zugzYdnoOoIKAxbxwqHmVoxFvtlLoeo8i8Hluvzsiie", 
nombre: "Name of myname" 
}. 
[signature] 

Environment

Release: MSPSSO99000-12.8-Single Sign-On-for Business Users-MSP
Component:

Resolution

The "typ" header parameter is optional. The JSON Web Token (JWT) specification, RFC 7519, says of it:

"Use of this Header Parameter is OPTIONAL."

https://tools.ietf.org/html/rfc7519#page-11

The section:

{
kid: "65804645-989e-4833-8dd7-f17c7782ea00",
alg: "RS256"
}.

is the set of JWS header parameters issued by CA Single Sign-On.

CA SSO 12.8 is a Certified OpenID Connect implementation. Refer to the link below for information.

https://openid.net/certification/

Because CA SSO 12.8 is a Certified OpenID Connect implementation, and the OpenID Connect 1.0 specification already establishes that the ID Token is a JWT with signed and encrypted contents, the token above is a JWT.
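
A relying party can confirm this without looking at "typ". The following is an added example, not code from CA Single Sign-On or from the original article: it checks the three-segment JWS shape, the "alg" header, and the ID Token claims OpenID Connect requires. The function names and the placeholder signature are assumptions; real signature verification against the issuer's key (selected by "kid") is out of scope here.

```python
import base64
import json

# Claims OpenID Connect Core 1.0 requires in every ID Token.
REQUIRED_CLAIMS = ("iss", "sub", "aud", "exp", "iat")

def b64url_decode(segment: str) -> bytes:
    # JWS segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def inspect_id_token(token: str) -> dict:
    """Structural inspection only; the signature is NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:
        raise ValueError("not a signed JWS compact serialization")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("header and payload must be JSON objects")
    alg = header.get("alg")
    if not isinstance(alg, str) or alg.lower() == "none":
        raise ValueError("'alg' is missing or declares an unsigned token")
    missing = [c for c in REQUIRED_CLAIMS if c not in claims]
    return {
        "alg": alg,
        "kid": header.get("kid"),  # identifies the issuer key to verify with
        "typ": header.get("typ"),  # optional (RFC 7519); None is acceptable
        "missing_claims": missing,
        "well_formed": not missing,
    }

def build_sample() -> str:
    # Constructed sample: values copied from the token shown on this page,
    # with a placeholder in place of the real RS256 signature.
    header = {"kid": "65804645-989e-4833-8dd7-f17c7782ea00", "alg": "RS256"}
    claims = {
        "sub": "CN=myname,OU=myuser,O=myorganization",
        "aud": "c11d5f88-3bba-4a66-8faf-58d6bbb8547z",
        "iss": "https://mymachine.mydomain.com:9443",
        "auth_time": 1540223760, "iat": 1540223760, "exp": 1540227660,
        "nonce": "5zugzYdnoOoIKAxbxwqHmVoxFvtlLoeo8i8Hluvzsiie",
    }
    segs = [b64url_encode(json.dumps(p).encode()) for p in (header, claims)]
    return ".".join(segs + [b64url_encode(b"placeholder-signature")])

if __name__ == "__main__":
    print(inspect_id_token(build_sample()))
```

A token that passes this inspection still has to have its RS256 signature verified, and its "iss", "aud", "exp" and "nonce" values checked, before it is trusted.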